Wednesday, October 14, 2009

The October HIT Standards Committee meeting

As I discussed in yesterday's blog, the focus of the October HIT Standards Committee was Standards adoption and implementation.

The day started with comments from David Blumenthal. He briefly described the Nationwide Healthcare Information Network (NHIN) as an evolving vital element of our national health information strategy. He emphasized that we need to expand the scope of our NHIN thinking to include consumer health information platforms in addition to the provider and government organizations that have been the focus to date. He also noted that we need to move from pilots/prototypes to scalable real world implementations, establishing the right governance mechanism for the NHIN.

The Clinical Operations update followed and included a discussion of gaps in the current work. We started with a discussion of patient access to an EHR. Should we include clinical summaries, the entire record, or the standard data elements that can be exported to commercial PHRs such as Google Health and Microsoft Healthvault? We heard about experiences at Kaiser, Geisinger, BIDMC and others. It's clear that PHR data sharing is very heterogeneous at the moment and that convenience transactions such as appointment making, medication renewal, and referral management may be more important to patients than full access to every aspect of their record. The HIT Policy committee will be asked to define minimum requirements for patient access to EHR data.

We discussed needed enhancements to vocabularies including a national SNOMED-CT to ICD9/ICD10 mapping, RxNorm mapping to National Drug File Reference Terminology (NDF-RT) and Standard Product Labeling (SPL), a standard lab compendium for ordering, UCUM guidance and testing, and a national infrastructure to distribute and maintain codesets. I discussed this need for enhanced vocabulary tools in yesterday's blog. Our action item today was to create a Vocabulary sub-Workgroup that will address these issues and propose priorities and solutions to the entire Committee and ONC.

We heard an update from the Clinical Quality Workgroup about the re-tooling of quality measures to be more EHR-centric. Good progress is being made.

Next, we focused on privacy & security. Dixie Baker and Steve Findlay summarized a few updates to the standards matrix - SOAP 1.2 is the current recommended version and per evolving federal guidelines (NIST SP 800-63-1), Kerberos will be allowed but not required for 2011 because Federal systems will begin disallowing Kerberos in 2013. NIST SP 800-63-1 is cited as implementation guidance for "Level 2" certification criteria for authentication, but we've been careful not to impose Federal FISMA criteria on the private sector.

We discussed enhancements to privacy and security standards efforts, especially for 2013, including:

* A healthcare specific XML schema and vocabulary for representing subject, resource, action, and environmental attributes in security assertions i.e. SAML for healthcare
* A standard XML schema and vocabulary for representing consumer consents i.e. my CAML proposal
* Baseline security and privacy policies for the exchange of EHR information
* Standards for exchanges between the healthcare enterprise and the consumer
* Specification of Health Information Exchange assumptions and associated privacy and security policy. This relates to my blog yesterday in which I noted that policy guidance is really essential to pick the simplest set of security constructs needed to protect confidentiality.

Our action items today were

1. To spend the entire November HIT Standards Committee meeting hearing testimony from stakeholders on Security issues.

2. To work with ONC to ensure seamless communication and coordination between the HIT Policy Committee and HIT Standards Committee regarding privacy and security issues

3. To specify our assumptions for HIE information exchanges and share those assumptions with the Policy Committee so that they could specify a policy framework that then could serve as the basis for constraining security and privacy standards. One of our committee members noted that policy constrains architectural possibilities, enabling selection of the simplest set of standards needed to meet requirements.

Given the emphasis of the meeting on adoption and implementation, we discussed next steps regarding our new Implementation Workgroup. Specifically we will arrange for a day of testimony on October 29 from many stakeholder groups to better understand adoption and implementation issues, needs for enhanced implementation guidance, and identification of enablers that would accelerate interoperability such as new tools or filing standards gaps. We'll also conduct an online forum and accept written testimony. This feedback process is very important to ensure rapid cycle improvement in the standards making and standards selection processes. Per my blog yesterday, this will help with resolving the outstanding common data transport issues.

We ended the meeting with a discussion of the results from the privacy hearings conducted by the HIT Policy Committee on September 18.

Thus, we have action steps to resolve all the issues I raised on my blog yesterday - alignment of policy and standards activities to create the parsimonious set of security standards to protect confidentiality, a working group to resolve outstanding vocabulary issues, and a feedback process to resolve common data transport and other standards adoption/implementation issues.

A great meeting and I look forward to our day of implementation testimony on October 29 and our day of security testimony on November 19.

6 comments:

Ahier said...

Thanks John, I am glad to be able to get your perspective from the meeting. I am also very pleased that next months meeting is taking a deep look at security. I do not see the October 29th meeting listed on the healthit.hhs.gov web site. Do you know when the official meeting announcement will be made?

I am particularly interested in the assumptions for HIE. Interoperability will be a key criteria for meaningful use and I think the eventual development of NHIN will be important to meeting many of our goals for lowering costs and improving quality.

The rough draft transcript from the meeting is again posted here:

http://ahier.blogspot.com/2009/10/hit-standards-meeting-101409.html

John Halamka said...

There should be a federal register posting today announcing the October 29 meeting formally.

David said...

Thanks John. I'm pleased at the new focus on implementation and adoption. But there are still loose ends to tie up so that people know what to implement. Since yesterday's meeting stated that there are some gaps that affect 2011 (including high cost imaging, patient access to EHR, patient education materials) as well as the vocabulary gaps and other gaps looking ahead to 2013, what is the plan specifically for providing guidance for the 2011 items? Will the November HIT SC meeting be dedicated only to Security, or will recommendations to resolve the 2011 gaps be presented at that time?

Ahier said...

Corrected link for the transcript of the 10-14 HIT STandards Meeting

Ken Waldbillig said...

Hello again Dr. The gaps are gritty, however if we conceder mediation logic to assist in the transmographication of heritage systems, we can exert control points and canonical models to assist vendors in the path to more contemporary technologies.

Richard Franck said...

Dr. Halamka,

I don't think many people realize how much the work of the NHIN has contributed in the last 18 months towards several of the "enhancements" you mention in this post:
* SAML for healthcare
* A standard XML schema and vocabulary for representing consumer consents (let's call this one "XACML for healthcare")
* Specification of Health Information Exchange assumptions and associated privacy and security policy.

Taking the last one first, on the NHIN we specified some of those assumptions, key of which are:
* exchange of clinical information between HIEs (that is, the NHIN) is in the form of Clinical Documents
* these Clinical Documents follow HITSP standard formats and have metadata applied to them that can be used for (among other things) applying access restrictions
* all transactions on the NHIN will use a common transport (based on SOAP) and carry assertions about the requesting user's identity, role, and purpose for the request, so that information needed to apply access restrictions is available at the "decision point".

In addition, we specified the "SAML for Healthcare" (for user identity information) and "XACML for Healthcare" (for consumer consents) profiles that you rightly describe as being needed.

At the same time last year, a workgroup in OASIS was formed to address these same areas, and those specifications are currently under ballot in OASIS. Fortunately, several participants in the NHIN were able to join the OASIS working group before those specifications were finalized. Some of the NHIN thinking was adopted into the OASIS specs, and the OASIS standard has been written in to the next version of the NHIN specs that will be published in early 2010.

One reason that many people aren't aware of how much the NHIN has accomplished in this area is that the NHIN committees have operated under the restrictions that come with being formed under a federal contract -- that is, they are closed, with participation limited only to the contractors and federal agencies. But at the same time (I can tell you from experience), there are many people inside the Office of the National Coordinator who don't realize how far we've come, either.

But HITSP has now provided a venue for these specifications to be discussed in an open forum, with the newly created "Consumer Preferences Tiger Team". The name is not exactly right, because Consumer Preferences are only half the story -- your post describes the complete scope of where these concepts need to apply.

I think we can look forward to HITSP moving reasonably quickly to adopt a set of standards to cover the areas that you describe in this post. And I believe that it can be done in a way that supports "Baseline security and privacy policies" but doesn't restrict implementations that want to move beyond those baselines to grant consumers more flexible control.

My request is that those sitting on the HIT Policy and HIT Standards committees, high above the HITSP Tiger Teams and Technical Committees, keep their eye on the ground level so we don't end up forming committees to solve problems for which solutions already exist and are in the process of being specified.